RC4-encrypted PowerShell payload staging
A malware staging technique in which a PowerShell payload is encrypted with RC4 and delivered inside another script (e.g. JavaScript or batch). At runtime, the outer script decrypts the RC4 ciphertext and passes it to PowerShell for execution.
What It Does
RC4 is a symmetric stream cipher. In this technique, the malware author RC4-encrypts a PowerShell script and embeds the ciphertext (often hex-encoded) inside a carrier file. The carrier also embeds the RC4 key, so no key exchange is needed at runtime. When executed, the carrier decrypts the payload and either writes it to a temporary file or passes it directly to powershell.exe, or executes it via Invoke-Expression.
Detection / Fingerprint
- Look for large hex strings (>100 KB) inside JavaScript or batch files
- Look for variable names like $cipherData, $rc4Key, $sBox, and KSA/PRGA loop patterns in PowerShell
- The RC4 key is often a hex string or byte array embedded alongside the ciphertext
Reproduce on your own VMs
PowerShell RC4 encrypt/decrypt (research snippet)
# RC4 is symmetric: the same function decrypts when given the ciphertext and key.
function RC4-Encrypt($data, $key) {
    # Key-scheduling algorithm (KSA): permute the 256-entry S-box with the key
    $S = 0..255
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $key[$i % $key.Length]) % 256
        $S[$i], $S[$j] = $S[$j], $S[$i]
    }
    # Pseudo-random generation algorithm (PRGA): keystream byte XORed with each input byte
    $i = $j = 0
    $out = New-Object byte[] $data.Length
    for ($b = 0; $b -lt $data.Length; $b++) {
        $i = ($i + 1) % 256
        $j = ($j + $S[$i]) % 256
        $S[$i], $S[$j] = $S[$j], $S[$i]
        $k = $S[($S[$i] + $S[$j]) % 256]
        $out[$b] = $data[$b] -bxor $k
    }
    return $out
}

# Encrypt a benign payload and print the hex form a carrier would embed
$payload = [System.Text.Encoding]::UTF8.GetBytes("Write-Host 'Hello RC4!'")
$key = [System.Text.Encoding]::UTF8.GetBytes("MySecretKey12345")
$encrypted = RC4-Encrypt $payload $key
$hex = ([BitConverter]::ToString($encrypted) -replace '-','')
Write-Host "Ciphertext hex: $hex"
Verification
After encrypting a benign payload, embed the hex string in a JS wrapper, have the wrapper decode it and pass the result to PowerShell, and verify that the benign payload executes correctly.
Defensive Countermeasures
- Block powershell.exe execution from WScript/CScript contexts
- Use AMSI and script-block logging to capture decrypted PowerShell before execution
- Hunt for large hex blobs inside non-PE files
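A triage script for the fingerprints listed under Detection / Fingerprint and the hunting step above, added here as an example and not part of the original page: it flags the RC4 loop idioms and large hex blobs in a script file and, given the key the carrier itself embeds, recovers the plaintext an analyst would otherwise only see via script-block logging. The marker regexes, the 200 000-character default (the >100 KB guideline) and the sample carrier are assumptions constructed for the demonstration.

```python
import re
# Fingerprints from the section above: RC4 KSA/PRGA idioms as written in PowerShell,
# the variable names the page lists, and the final hand-off to Invoke-Expression.
RC4_MARKERS = {
    "ksa_range": re.compile(r"0\.\.255"),
    "mod_256": re.compile(r"%\s*256"),
    "swap": re.compile(r"\$\w+\[\$\w+\]\s*,\s*\$\w+\[\$\w+\]\s*="),
    "bxor": re.compile(r"-bxor\b", re.I),
    "var_names": re.compile(r"\$(cipherData|rc4Key|sBox)\b", re.I),
    "iex": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); symmetric, so the same call encrypts and decrypts."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

def find_hex_blobs(text: str, min_chars: int = 200_000) -> list:
    """Even-length hex runs of at least min_chars (default: the >100 KB rule), decoded."""
    return [bytes.fromhex(r) for r in re.findall(r"[0-9A-Fa-f]{%d,}" % min_chars, text)
            if len(r) % 2 == 0]

def triage(text: str, min_hex_chars: int = 200_000) -> dict:
    """Which markers fire, how many large blobs exist, and a combined verdict."""
    markers = [n for n, rx in RC4_MARKERS.items() if rx.search(text)]
    blobs = len(find_hex_blobs(text, min_hex_chars))
    return {"markers": markers, "hex_blobs": blobs, "suspicious": blobs > 0 or len(markers) >= 3}

def recover_payload(text: str, key: bytes, min_hex_chars: int = 200_000) -> str:
    """Decrypt each blob with the key the carrier embeds and return the first clean-text
    result: the script that script-block logging would see at Invoke-Expression time."""
    for blob in find_hex_blobs(text, min_hex_chars):
        plain = rc4(key, blob)
        if all(32 <= b < 127 or b in (9, 10, 13) for b in plain):
            return plain.decode("ascii")
    return ""

# Constructed sample carrier (not a real specimen): the page's benign payload and key.
KEY, PAYLOAD = b"MySecretKey12345", "Write-Host 'Hello RC4!'"
SAMPLE_CARRIER = ("$rc4Key = 'MySecretKey12345'\n$cipherData = '"
    + rc4(KEY, PAYLOAD.encode()).hex().upper() + "'\n"
    "$S = 0..255; $j = ($j + $S[$i] + $k[$i % $k.Length]) % 256\n"
    "$S[$i], $S[$j] = $S[$j], $S[$i]; $o[$b] = $d[$b] -bxor $k; IEX $plain\n")
```

With the default threshold only the loop markers fire on the small sample; on a real carrier the hex blob alone is enough for a verdict.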
Pages where observed
- spamita — Invio proforma.js embeds a base64 block that decodes to a PowerShell RC4 decryptor ^[report.md]